Cryptography and Information Security Group Research Project:
Exposure-Resilient Cryptography

Standard cryptographic definitions and constructions do not guarantee
any security even if a tiny fraction of the secret entity is
compromised. The goal of this project is to design cryptographic
primitives that remain provably secure even when an adversary is able
to learn almost the entire secret. Numerous applications
include combatting almost total key-exposure, enhancing the security
of block-ciphers, hash functions, constructing computational "gap"
secret-sharing schemes with shares as small as 1 bit, and building
exposure-resilient pseudorandom functions and pseudorandom generators.

Abstract: This paper studies All-or-Nothing Transforms (AONTs),
which have been proposed by Rivest as a mode of operation for block
ciphers. An AONT is an unkeyed, invertible, randomized transformation,
with the property that it is hard to invert unless all of the output
is known. Applications of AONTs include improving the security and
efficiency of symmetric-key and public-key encryption. We give several
formal definitions of security for AONTs that are stronger than the
original ones and are more suited to practical applications. We then
prove that Optimal Asymmetric Encryption Padding (OAEP), which was
originally introduced by Bellare and Rogaway in a different context,
satisfies these definitions (in the random oracle model). This is the
first construction of an AONT that has been proven secure in the
strong sense. The adversary's advantage in getting information about
the input of the OAEP is shown to be inversely exponential in the
number of bits removed from the output. Our bound is nearly optimal,
in the sense that no adversary can do substantially better against the
OAEP than by exhaustive search. We also show that no AONT can achieve
substantially better security than OAEP.

Abstract: We study the problem of partial key exposure.
Standard cryptographic definitions and constructions do not guarantee
any security even if a tiny fraction of the secret key is compromised.
We show how to build cryptographic primitives, in the standard model
(without random oracles), that remain secure even when an adversary is
able to learn almost all of the secret key.

The key to our approach is a new primitive of independent
interest, which we call an Exposure-Resilient Function (ERF) --
a deterministic function whose output appears random (in a perfect,
statistical or computational sense) even if almost all the bits
of the input are known. ERF's by themselves efficiently solve the
partial key exposure problem in the setting where the secret is simply
a random value, like in private-key cryptography. They can also be
viewed as very secure pseudorandom generators, and have many other
applications.

To solve the general partial key exposure problem, we use the
(generalized) notion of an All-Or-Nothing Transform (AONT), an
invertible (randomized) transformation T which, nevertheless,
reveals ``no information'' about x even if almost all the
bits of T(x) are known. By applying an AONT to the secret key of
any cryptographic system, we obtain security against partial key
exposure. To date, the only known security analyses of AONT
candidates were made in the random oracle model.

We show how to construct ERF's and AONT's with nearly optimal
parameters. Our computational constructions are based on any one-way
function. We also provide several applications and additional
properties concerning these notions.